Abstract — Future power networks will be characterized by safe and reliable functionality against physical malfunctions and cyber attacks. This paper proposes a unified framework and advanced monitoring procedures to detect and identify malfunctions of network components or corruption of measurements caused by an omniscient adversary. We model a power system under
cyber-physical attack as a linear time-invariant descriptor 
system with unknown inputs. Our attack model generalizes 
the prototypical stealth, (dynamic) false-data injection and 
replay attacks. We characterize the fundamental limitations 
of both static and dynamic procedures for attack detection 
and identification. Additionally, we design provably-correct 
(dynamic) detection and identification procedures based on 
tools from geometric control theory. Finally, we illustrate the 
effectiveness of our method through a comparison with existing 
(static) detection algorithms, and through a numerical study. 

I. Introduction 

Problem setup Recent studies and real-world incidents 
have demonstrated the inability of the power grid to ensure 
a reliable service in the presence of network failures and 
possibly malicious actions [1], [2]. Besides failures and attacks on the physical power grid infrastructure, the envisioned future smart grid is also prone to cyber attacks on its communication layer. In short, cyber-physical security is a fundamental obstacle challenging the smart grid vision.

A classical mathematical model to describe the grid on 
the transmission level is the so-called structure-preserving 
power network model, which consists of the dynamic swing 
equation for the generator rotor dynamics, and of the al- 
gebraic load-flow equation for the power flows through the 
network buses [3]. In this work, we consider the linearized small-signal version of the structure-preserving model, which is composed of the linearized swing equation and the DC power flow equation. The resulting linear continuous-time
descriptor model of a power network has also been studied 
for estimation and security purposes in [4], [5], [6]. 

From static to dynamic detection Existing approaches to 
security and stability assessment are mainly based upon static 
estimation techniques for the set of voltage angles and mag- 
nitudes at all system buses, e.g., see [8]. Limitations of these 
techniques have been often underlined, especially when the 
network malfunction is intentionally caused by an omniscient 
attacker [7], [9]. The development of security procedures that exploit the dynamics of the power network is recognized [10] as an outstanding open problem.

Fig. 1. For the IEEE 14 bus system represented here, if the voltage angle of one bus is measured exactly, then a cyber attack against the measurement data is always detectable by our dynamic detection procedure. In contrast, as shown in [7], a cyber attack may remain undetected by a static procedure if it compromises as few as four measurements.

We remark that the use of static state estimation and detection algorithms has been adopted for many years for several practical and
technological reasons. First, because of the low bandwidth 
of communication channels from the measuring units to the 
network control centers, continuous measurements were not 
available at the control centers, so that the transient behavior 
of the network could not be captured. Second, a sufficiently 
accurate dynamic model of the network was difficult to 
obtain or tune, making the analysis of the dynamics even 
harder. As of today, because of recent advances in hardware 
technologies, e.g., the advent of Phasor Measurement Units 
and of large bandwidth communications, and in identification 
techniques for power system parameters [11], these two 
limitations can be overcome. Finally, a dynamic estimation 
and detection problem was considered much harder than 
the static counterpart. We address this theoretical limitation by improving upon results presented in [12], [13] for the security assessment of discrete-time dynamical networks.

Literature review on dynamic detection Dynamic secu- 
rity has been approached via heuristics and expert systems, 
e.g., see [14]. Shortcomings of these methods include relia- 
bility and accuracy against unforeseen system anomalies, and 
the absence of analytical performance guarantees. A different 
approach relies on matching a discrete-time state transition 
map to a series of past measurements via Kalman filtering, 
e.g., see [15], [16] and the references therein. Typically, these 
transition maps are based on heuristic models fitted to a 
specific operating point [15]. Clearly, such a pseudo-model 
poorly describes the complex power network dynamics and 
suffers from shortcomings similar to those of expert systems 
methods. In [16], the state transition map is chosen more accurately as the linearized and Euler-discretized power
network dynamics. The local observability of the resulting 
linear discrete-time system is investigated in [16], but in 
the absence of unforeseen attacks. Finally, in [17] a graph- 
theoretic framework is proposed to evaluate the impact of 
cyber attacks on a smart grid and empirical results are given. 

Recent approaches to dynamic security consider 
continuous-time power system models and apply dynamic 
techniques [4], [5], [6], [18]. While [18] adopts an 
overly simplified model neglecting the algebraic load flow 
equations, the references [4], [5], [6] use a more accurate 
network descriptor model. In [5] different failure modes are 
modeled as instances of a switched system and identified 
using techniques from hybrid control. This approach, though 
elegant, results in a severe combinatorial complexity in the 
modeling of all possible attacks. In our earlier work [6], 
under the assumption of generic network parameters, we 
state necessary and sufficient conditions for identifiability 
of attacks based on the network topology. Finally, in [4] 
dynamical filters are designed to isolate certain predefined 
failures of the network components. With respect to this 
last work, we assume no a priori knowledge of the set 
of compromised components and of their compromised 
behavior. Our results generalize and include those of [4]. 

Contributions This paper's contributions are fourfold. 
First, we provide a unified modeling framework for dynamic 
power networks subject to cyber-physical attacks. For our 
model, we define the notions of detectability and identifi- 
ability of an attack by its effect on output measurements. 
Informed by the classic work on geometric control the- 
ory [19], [20], our framework includes the deterministic 
static detection problem considered in [7], [9], and the 
prototypical stealth [21], (dynamic) false-data injection [22], 
and replay attacks [23] as special cases. Second, we focus 
on the descriptor model of a power system and we show the 
fundamental limitations of static and dynamic detection and 
identification procedures. Specifically, we show that static 
detection procedures are unable to detect any attack affecting 
the dynamics, and that attacks corrupting the measurements 
can be easily designed to be undetectable. On the contrary, 
we show that undetectability in a dynamic setting is much 
harder to achieve for an attacker. Specifically, a cyber-physical attack is undetectable if and only if the attackers' input signal excites only the zero dynamics of the input/output system. (As a complementary result, our work
[6] gives necessary and sufficient graph-theoretic conditions 
for the absence of zero dynamics, and hence for the absence 
of undetectable attacks.) Third, we propose a detection 
and identification procedure based on geometrically-designed 
residual filters. Under the assumption of attack identifiability, 
our method correctly identifies the attacker set independently 
of its strategy. From a system-theoretic perspective, correct 
identification is implied by the absence of zero dynamics in 
our proposed identification filters. Our design methodology 
is applicable to linear systems with direct input to output 
feedthrough, and it generalizes the construction presented in 
[24]. Fourth and finally, we illustrate the potential impact of our theoretical results on the standard IEEE 14 bus system (cf. Fig. 1). For this system it is known [7] that an attack
against the measurement data may remain undetected by a 
static procedure if the attacker set compromises as few as 
four measurements. We show here instead that such an attack 
is always detectable by our dynamic detection procedure 
provided that at least one bus voltage angle or one generator 
rotor angle is measured exactly. 

We conclude with two remarks on our contributions. First, 
our results (the notions of detectability and identifiability, the 
fundamental limitations of static versus dynamic monitoring, 
and the geometric design of detection and identification fil- 
ters) are analogously and immediately applicable to arbitrary 
index-one descriptor systems, thereby including any linear system $\dot{x} = Ax + Bu$, $y = Cx + Du$, with attack signal $u$.
Second, although we treat here the noiseless case, it is well 
known [25] that our deterministic detection filters are the 
key ingredient, together with Kalman filtering and hypothesis 
testing, in the design of statistical identification methods. 

Organization Section II presents the descriptor system model of a power network, our framework for the modeling of cyber-physical attacks, and the detection and identification problem. Section III states the fundamental limitations of static and dynamic detection procedures. Section IV presents the residual filters for dynamic detection and identification. Section V contains the IEEE 14 bus system case study.

II. Cyber-physical attacks on power networks 

A. Structure-preserving power network model with cyber 
and physical attacks 

We consider the linear small-signal version of the clas- 
sical structure-preserving power network model [3]. This 
descriptor model consists of the dynamic linearized swing 
equation and the algebraic DC power flow equation. A 
detailed derivation from the nonlinear structure-preserving 
power network model can be found, for instance, in [4], [6]. 

Consider a connected power network consisting of $n$ generators $\{g_1, \dots, g_n\}$, their associated $n$ generator terminal buses $\{b_1, \dots, b_n\}$, and $m$ load buses $\{b_{n+1}, \dots, b_{n+m}\}$.

The interconnection structure of the power network is encoded by a connected admittance-weighted graph. The generators $g_i$ and buses $b_i$ form the vertex set of this graph, and the edges are given by the transmission lines $\{b_i, b_j\}$ weighted by the susceptance between buses $b_i$ and $b_j$, as well as the internal connections $\{g_i, b_i\}$ weighted by the transient reactance between each generator and its terminal bus $b_i$. The Laplacian matrix associated to the admittance-weighted graph is the symmetric matrix $\mathcal{L} \in \mathbb{R}^{(2n+m)\times(2n+m)}$, where the first $n$ entries are associated with the generators and the last $n+m$ entries correspond to the buses. The differential-algebraic model of the power network is given by the linear continuous-time descriptor system



$$E\dot{x}(t) = Ax(t) + P(t), \qquad (1)$$

where the state $x = [\delta^\top\ \omega^\top\ \theta^\top]^\top \in \mathbb{R}^{2n+m}$ consists of the generator rotor angles $\delta \in \mathbb{R}^n$, the frequencies $\omega \in \mathbb{R}^n$, and the bus voltage angles $\theta$. The input term $P(t)$



is due to known changes in mechanical input power to the generators or real power demand at the loads. The descriptor system matrices $E$ and $A$ are given in (2), where $M$ (resp. $D_g$) is the diagonal matrix of the generators' inertias (resp. damping constants). The dynamic and algebraic equations of the linear descriptor system (1) are classically referred to as the linearized swing equation and the DC power flow equation, respectively. Notice that the initial condition of system (1) needs to obey the algebraic constraint $\mathcal{L}_{\ell g}\delta(0) + \mathcal{L}_{\ell\ell}\theta(0) = P_\theta(0)$, where $P_\theta(0)$ is the vector containing the entries $\{2n+1, \dots, 2n+m\}$ of $P(0)$. Finally, we assume the parameters of the power network descriptor model (1) to be known, and we remark that they can be either directly measured, or estimated through dynamic identification techniques, e.g., see [11].

Throughout the paper, the assumption is made that a combination of the state variables of the descriptor system (1) is being continuously measured over time. Let $C \in \mathbb{R}^{p \times (2n+m)}$ be the output matrix and let $y(t) = Cx(t)$ denote the $p$-dimensional measurements vector. Moreover, we allow for the presence of unknown disturbances affecting the behavior of the plant (1), which, besides reflecting the genuine failure of network components, can be the effect of a cyber-physical attack against the network. We classify these disturbances into state attacks, if they show up in the measurements vector after being integrated through the network dynamics, and output attacks, if they corrupt directly the measurements vector.¹ The network dynamics in the presence of a cyber-physical attack can be written as



$$E\dot{x}(t) = Ax(t) + \underbrace{[\,F \;\; 0\,]}_{B}\,u(t), \qquad y(t) = Cx(t) + \underbrace{[\,0 \;\; L\,]}_{D}\,u(t), \qquad u(t) = \begin{bmatrix} f(t) \\ \ell(t) \end{bmatrix}. \qquad (3)$$



The input signals $f(t)$ and $\ell(t)$ are referred to as state and output attack modes, respectively. The attack modes are assumed to be unknown and piecewise continuous functions of time of dimension $2n+m$ and $p$, respectively, and they act through the full rank matrices $F \in \mathbb{R}^{(2n+m)\times(2n+m)}$ and $L \in \mathbb{R}^{p \times p}$. For notational convenience, and without affecting generality, we assume that each state and output variable can be independently compromised by an attacker. Therefore, we let $F$ and $L$ be the identity matrices of dimensions $2n+m$ and $p$. The attack mode $u(t)$ depends upon the specific attack profile. In the presence of $k \in \mathbb{N}_0$, $k < 2n+m+p$, attackers indexed by the attack set $K \subseteq \{1, \dots, 2n+m+p\}$, the corresponding (vector) attack mode $t \mapsto u_K(t) \in \mathbb{R}^{2n+m+p}$ has exactly $k$ nonzero entries $u_{K,i}(t)$ for $i \in K$. Accordingly, the pair $(B_K, D_K)$ is called attack signature, where $B_K$ and $D_K$ are the submatrices of $B$ and $D$ with columns indexed by $K$.

¹ Because of the linearity of (1), the known input $P(t)$ can be neglected, since it does not affect the detectability of unknown input attacks.

The model (3) is very general, and it can capture the occurrence of several concurrent contingencies in the power network, which are caused either by component failures or external attacks.² For instance,

(i) a change in the mechanical power input to generator $i$ (resp. in the real power demand of load $j$) is described by the attack signature $(B_{n+i}, 0)$ (resp. $(B_{2n+j}, 0)$), and a non-zero attack mode $u_{n+i}(t)$ (resp. $u_{2n+j}(t)$);

(ii) a line outage occurring on the line $\{r, s\}$ is modeled by the signature $([B_r\ B_s], [0\ 0])$ and a non-zero mode $[u_r(t)\ u_s(t)]^\top$ [4]; and

(iii) the failure of sensor $i$, or the corruption of the $i$-th measurement by an attacker, is captured by the signature $(0, D_{2n+m+i})$ and a non-zero mode $u_{2n+m+i}(t)$.

B. Notions of detectability and identifiability for attack sets 

In this section we present the problem under investigation and we recall some definitions. Observe that a cyber-physical attack may remain undetected from the measurements if there exists a normal operating condition of the network under which the output would be the same as under the perturbation due to the attacker. Let $x(x_0, u, t)$ denote the network state trajectory generated from the initial state $x_0$ under the attack signal $u(t)$, and let $y(x_0, u, t)$ be the output sequence for the same initial condition and input. Throughout the paper, let $T \subseteq \mathbb{R}_{\ge 0}$ denote the set of time instants at which the presence of attacks against the network is checked.

Definition 1 (Undetectable attack set): For the linear descriptor system (3), the attack set $K$ is undetectable if there exist initial conditions $x_1, x_2 \in \mathbb{R}^{2n+m}$, and an attack mode $u_K(t)$ such that, for all $t \in T$, $y(x_1, u_K, t) = y(x_2, 0, t)$.

A more general concern than detection is identifiability of attackers, i.e., the possibility to distinguish from measurements between the action of two distinct attacks.

Definition 2 (Unidentifiable attack set): For the linear descriptor system (3), the attack set $K$ is unidentifiable if there exists an attack set $R$, with $|R| \le |K|$ and $R \neq K$, initial conditions $x_K, x_R \in \mathbb{R}^{2n+m}$, and attack modes $u_K(t)$, $u_R(t)$ such that, for all $t \in T$, $y(x_K, u_K, t) = y(x_R, u_R, t)$.

Of course, an undetectable attack is also unidentifiable, 
since it cannot be distinguished from the zero input. The 
converse does not hold. The security problem we consider 
in this paper is as follows. 

Problem: (Attack detection and identification) For the linear descriptor system (3), design an attack detection and identification procedure.

Definitions 1 and 2 are immediately applicable to arbitrary control systems subject to external attacks. Before proposing a solution to the Attack detection and identification Problem, we motivate the use of a dynamic detection and identification algorithm by characterizing the fundamental limitations of static and dynamic procedures.

² Genuine failures are a subcase of intentional cyber-physical attacks.



III. Limitations of static and dynamic procedures for detection and identification

The objective of this section is to show that some fun- 
damental limitations of a static detection procedure can be 
overcome by exploiting the network dynamics. We start by 
deriving a reduced state space model for a power network, 
which is convenient for illustration and analysis purposes. 

A. Kron-reduced representation of a power network 

For the system (3), let $F = [F_\delta^\top\ F_\omega^\top\ F_\theta^\top]^\top$ and $C = [C_\delta\ C_\omega\ C_\theta]$, where the partitioning reflects the state $x = [\delta^\top\ \omega^\top\ \theta^\top]^\top$. Since the network Laplacian matrix is irreducible (due to connectivity), the submatrix $\mathcal{L}_{\ell\ell}$ in (2) is invertible and the bus voltage angles $\theta(t)$ can be expressed via the generator rotor angles $\delta(t)$ and the state attack mode $f(t)$ as

$$\theta(t) = -\mathcal{L}_{\ell\ell}^{-1}\mathcal{L}_{\ell g}\,\delta(t) - \mathcal{L}_{\ell\ell}^{-1}F_\theta\, f(t). \qquad (4)$$

Hence, the descriptor system (3) is of index one [4]. The elimination of the algebraic variables $\theta(t)$ in the descriptor system (3) leads to the state space system (5), with state $[\delta^\top\ \omega^\top]^\top$, input $u(t)$, and output equation

$$y(t) = \underbrace{\big[\,C_\delta - C_\theta\mathcal{L}_{\ell\ell}^{-1}\mathcal{L}_{\ell g} \quad C_\omega\,\big]}_{C}\begin{bmatrix}\delta(t)\\ \omega(t)\end{bmatrix} + \underbrace{\big[\,-C_\theta\mathcal{L}_{\ell\ell}^{-1}F_\theta \quad L\,\big]}_{D}\,u(t). \qquad (5)$$

This reduction of the passive bus nodes is known as Kron reduction in the literature on power networks and circuit theory [26]. In what follows, we refer to (5) as the Kron-reduced system. Accordingly, for each attack set $K$, the attack signature $(B_K, D_K)$ is mapped to the corresponding signature, again denoted $(B_K, D_K)$, in the Kron-reduced system through the transformation for the matrices $B$ and $D$ described in (5). Clearly, for any state trajectory of the Kron-reduced system (5), the corresponding state trajectory of the (non-reduced) descriptor power network model (3) can be recovered by the identity (4).

We point out the following subtle but important facts, which are easily visible in the Kron-reduced system (5). First, a state attack $F_\theta f(t)$ on the buses affects directly the output $y(t)$. Second, for a connected bus network, the lower block of $A$ is a fully populated (reduced) Laplacian matrix, and $\mathcal{L}_{\ell\ell}^{-1}$ and $-\mathcal{L}_{g\ell}\mathcal{L}_{\ell\ell}^{-1}$ are both entrywise positive matrices [26]. As one consequence, an attack on a single bus affects the entire network and not only the locally attacked node or its vicinity. Third and finally, the mapping from the input signal $u(t)$ and the initial condition $x(0)$ (subject to the constraint (4) evaluated at $t = 0$) to the output signal $y(t)$ of the descriptor system (3) coincides with the corresponding input and initial state to output map of the associated Kron-reduced system (5). Hence, the definition of identifiability (resp. detectability) of an attack set is analogous for the Kron-reduced system (5), and we can directly state the following lemma.

Lemma 3.1: (Equivalence of detectability and identifiability under Kron reduction): For the power network descriptor system (3), the attack set $K$ is identifiable (resp. detectable) if and only if it is identifiable (resp. detectable) for the associated Kron-reduced system (5).

Following Lemma 3.1, we study detectability and identifiability of attacks against the power network descriptor model (3) by analyzing the associated Kron-reduced system (5).
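To make the elimination behind (4) and (5) concrete, the following is an added example written for this page, not code from the paper: a constructed two-generator, three-bus network (the node order, unit line weights, inertias, damping and sensor choice are all my own assumptions, as are the function names `kron_reduce` and `build_network`). It performs the generic index-one elimination $x_2 = -A_{22}^{-1}(A_{21}x_1 + B_2u)$ in exact rational arithmetic and exhibits the three facts listed above: a state attack on a bus enters the output directly through $D$, $\mathcal{L}_{\ell\ell}^{-1}$ is entrywise positive, and an attack on a single load bus drives both generators through $B$.

```python
"""Kron reduction of a constructed descriptor power model (added example).

Not code from the paper.  Constructed network: n = 2 generators g1, g2 with
terminal buses b1, b2 and m = 1 load bus b3 (node order g1, g2, b1, b2, b3).
Dynamic states x1 = (delta_1, delta_2, omega_1, omega_2); algebraic states
x2 = (theta_1, theta_2, theta_3).  Exact rationals keep every statement exact.
"""
from fractions import Fraction as Fr


def mul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]


def sub(A, B):
    return [[a - b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def inv(A):
    """Gauss-Jordan inverse with exact arithmetic; raises if A is singular."""
    n = len(A)
    M = [list(A[i]) + [Fr(int(i == j)) for j in range(n)] for i in range(n)]
    for c in range(n):
        p = next((r for r in range(c, n) if M[r][c] != 0), None)
        if p is None:
            raise ValueError("algebraic block is singular: not an index-one system")
        M[c], M[p] = M[p], M[c]
        piv = M[c][c]
        M[c] = [v / piv for v in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                f = M[r][c]
                M[r] = [v - f * w for v, w in zip(M[r], M[c])]
    return [row[n:] for row in M]


def laplacian(size, edges):
    """Admittance-weighted graph Laplacian from (i, j, weight) edges."""
    L = [[Fr(0)] * size for _ in range(size)]
    for i, j, w in edges:
        L[i][i] += w
        L[j][j] += w
        L[i][j] -= w
        L[j][i] -= w
    return L


def block(M, rows, cols):
    return [[M[i][j] for j in cols] for i in rows]


def kron_reduce(A11, A12, A21, A22, B1, B2, C1, C2, D):
    """Eliminate the algebraic states of  E xdot = A x + B u,  y = C x + D u  with
    E = blkdiag(I, 0):  0 = A21 x1 + A22 x2 + B2 u  gives  x2 = -A22^-1 (A21 x1 + B2 u),
    the counterpart of (4); substituting x2 yields the reduced (A, B, C, D) as in (5)."""
    Ai = inv(A22)
    S, T = mul(A12, Ai), mul(C2, Ai)
    return (sub(A11, mul(S, A21)), sub(B1, mul(S, B2)),
            sub(C1, mul(T, A21)), sub(D, mul(T, B2)))


def build_network():
    """Constructed data: unit line weights, inertias (2, 1), unit damping, and the
    measurements y = (theta_3, omega_1, delta_1).  Attack input
    u = (f_delta, f_omega, f_theta, ell) with F = I and L = I, so B = [I 0], D = [0 I]."""
    one = Fr(1)
    Lap = laplacian(5, [(0, 2, one), (1, 3, one), (2, 3, one), (2, 4, one), (3, 4, one)])
    gen, bus = [0, 1], [2, 3, 4]
    Lgg, Lgl = block(Lap, gen, gen), block(Lap, gen, bus)
    Llg, Lll = block(Lap, bus, gen), block(Lap, bus, bus)
    m, d = [Fr(2), Fr(1)], [Fr(1), Fr(1)]
    e = lambda k, i: [Fr(int(i == j)) for j in range(k)]   # i-th unit row vector of length k
    z = lambda k: [Fr(0)] * k
    # swing rows:  delta' = omega,   M omega' = -Lgg delta - Dg omega - Lgl theta + f_omega
    A11 = [z(2) + e(2, i) for i in range(2)] + [
        [-Lgg[i][j] / m[i] for j in range(2)] + [-d[i] / m[i] * int(i == j) for j in range(2)]
        for i in range(2)]
    A12 = [z(3) for _ in range(2)] + [[-Lgl[i][j] / m[i] for j in range(3)] for i in range(2)]
    # DC power-flow row (algebraic):  0 = -Llg delta - Lll theta + f_theta
    A21 = [[-Llg[i][j] for j in range(2)] + z(2) for i in range(3)]
    A22 = [[-Lll[i][j] for j in range(3)] for i in range(3)]
    B1 = [e(10, i) for i in range(2)] + [[v / m[i] for v in e(10, 2 + i)] for i in range(2)]
    B2 = [e(10, 4 + i) for i in range(3)]
    C1 = [z(4), e(4, 2), e(4, 0)]          # theta_3 has no direct (delta, omega) part
    C2 = [e(3, 2), z(3), z(3)]
    D = [z(7) + e(3, i) for i in range(3)]
    return kron_reduce(A11, A12, A21, A22, B1, B2, C1, C2, D), Lll


if __name__ == "__main__":
    (A, B, C, D), Lll = build_network()
    print("reduced A:", A)
    print("f_theta_3 (column 6) enters both generators through B:", B[2][6], B[3][6])
    print("and the measured bus angle directly through D:", D[0][6])
    print("Lll^-1 entrywise positive:", all(v > 0 for row in inv(Lll) for v in row))
```

Running it shows the reduced coupling between the two generators is $3/8$ (a fully populated reduced Laplacian, since the original generators are not adjacent), that the load-bus attack column of $B$ is nonzero for both generators, and that the same attack appears in $D$ because the measured bus angle depends on it through $\mathcal{L}_{\ell\ell}^{-1}$.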

B. Fundamental limitations of a Static Detector

By Static Detector, or, with the terminology of [8], Bad Data Detector, we denote an algorithm that uses the network measurements to check for the presence of attacks at some predefined instants of time, and without exploiting any relation between measurements taken at different time instants. By Definition 1, an attack is undetectable by a Static Detector if and only if, for all time instants $t$ in a countable set $T$, there exists a vector $\xi(t)$ such that $y(t) = C\xi(t)$. Without loss of generality, we set $T = \mathbb{N}$. Loosely speaking, the Static Detector checks whether, at a particular time instant $t \in \mathbb{N}$, the measured data is consistent with the measurement equation, for example, the power flow equation at a bus. Notice that our definition of Static Detector is compatible with [7], where an attack is detected if and only if the residual $r(t) = y(t) - C[\delta(t)^\top\ \omega(t)^\top]^\top$ is nonzero for some $t \in \mathbb{N}$, where $[\delta(t)^\top\ \omega(t)^\top]^\top = C^{\dagger}y(t)$. If $r(t) \neq 0$, then a malfunction is detected, and it is undetected otherwise.³

Theorem 3.2: (Static detectability of cyber-physical attacks) For the power network descriptor system (3) and an attack set $K$, the following two statements are equivalent:

(i) the attack set $K$ is undetectable by a Static Detector;

(ii) there exists an attack mode $u_K(t)$ such that, for some $\delta(t)$ and $\omega(t)$, at every $t \in \mathbb{N}$ it holds

$$C\begin{bmatrix}\delta(t)\\ \omega(t)\end{bmatrix} + Du_K(t) = 0, \qquad (6)$$

where $C$ and $D$ are as in (5).
Moreover, there exists an attack set $K$ undetectable by a Static Detector if and only if there exist $x \in \mathbb{R}^{2n}$ and $g \in \mathbb{R}^{|K|}$, $g \neq 0$, such that $Cx + D_Kg = 0$.

Before presenting a proof of the above theorem, we highlight that a necessary and sufficient condition for equation (6) to be satisfied is that $L\ell(t) \in \mathrm{Im}(C)$ at all times $t \in \mathbb{N}$, where $\ell(t)$ is the output attack mode, i.e., the vector of the last $p$ components of $u_K(t)$. Hence, statement (ii) in Theorem 3.2 implies that no state attack can be detected by a static detection procedure, and that an undetectable output attack exists if and only if $\mathrm{Im}(D_K) \cap \mathrm{Im}(C) \neq \{0\}$.

Proof of Theorem 3.2: As previously discussed, the attack set $K$ is undetectable by a Static Detector if and only if for each $t \in \mathbb{N}$ there exist $\delta(t)$, $\omega(t)$, and $u_K(t)$ such that

$$r(t) = y(t) - CC^{\dagger}y(t) = (I - CC^{\dagger})\Big(C\begin{bmatrix}\delta(t)\\ \omega(t)\end{bmatrix} + Du_K(t)\Big)$$

vanishes. Consequently, $r(t) = (I - CC^{\dagger})Du_K(t)$, and the attack set $K$ is undetectable if and only if $Du_K(t) \in \mathrm{Im}(C)$, which is equivalent to statement (ii). The last necessary and sufficient condition in the theorem follows from (ii). ∎

³ Similar conclusions can be drawn for the case of noisy measurements.

We now focus on the static identification problem. Following Definition 2, the following result can be asserted.

Theorem 3.3: (Static identification of cyber-physical attacks) For the power network descriptor system (3) and an attack set $K$, the following two statements are equivalent:

(i) the attack set $K$ is unidentifiable by a Static Detector;

(ii) there exists an attack set $R$, with $|R| \le |K|$ and $R \neq K$, and attack modes $u_K(t)$, $u_R(t)$, such that, for some $\delta(t)$ and $\omega(t)$, at every $t \in \mathbb{N}$ it holds

$$C\begin{bmatrix}\delta(t)\\ \omega(t)\end{bmatrix} + D\big(u_K(t) + u_R(t)\big) = 0,$$

where $C$ and $D$ are as in (5).
Moreover, there exists an attack set $K$ unidentifiable by a Static Detector if and only if there exists an attack set $\bar{K}$, $|\bar{K}| \le 2|K|$, which is undetectable by a Static Detector.

Similar to the fundamental limitations of static detectability in Theorem 3.2, Theorem 3.3 implies that, for instance, state attacks cannot be identified and that an unidentifiable output attack exists if and only if $\mathrm{Im}(D_{\bar{K}}) \cap \mathrm{Im}(C) \neq \{0\}$ for some such attack set $\bar{K}$.

Proof of Theorem 3.3: Because of the linearity of the system (3), the unidentifiability condition in Definition 2 is equivalent to $y(x_K - x_R, u_K - u_R, t) = 0$, for some initial conditions $x_K$, $x_R$, and attack modes $u_K(t)$, $u_R(t)$. The equivalence between statements (i) and (ii) follows. The last statement follows from Theorem 3.2. ∎



C. Fundamental limitations of a Dynamic Detector

In the following we refer to a security system having access to the continuous-time measurements signal $y(t)$, $t \in \mathbb{R}_{\ge 0}$, as a Dynamic Detector. As opposed to a Static Detector, a Dynamic Detector checks for the presence of attacks at every instant of time $t \in \mathbb{R}_{\ge 0}$. By Definition 1, an attack is undetectable by a Dynamic Detector if and only if there exists a network initial state $\xi(0) \in \mathbb{R}^{2n}$ such that $y(t) = Ce^{At}\xi(0)$ for all time instants $t \in \mathbb{R}_{\ge 0}$. Intuitively, a Dynamic Detector is harder to mislead than a Static Detector.

Theorem 3.4: (Dynamic detectability of cyber-physical attacks) For the power network descriptor system (3) and an attack set $K$, the following two statements are equivalent:

(i) the attack set $K$ is undetectable by a Dynamic Detector;

(ii) there exists an attack mode $u_K(t)$ such that, for some $\delta(0)$ and $\omega(0)$, at every $t \in \mathbb{R}_{\ge 0}$ it holds

$$Ce^{At}\begin{bmatrix}\delta(0)\\ \omega(0)\end{bmatrix} + \int_0^t Ce^{A(t-\tau)}Bu_K(\tau)\,d\tau = -Du_K(t),$$

where $A$, $B$, $C$, and $D$ are as in (5).
Moreover, there exists an attack set $K$ undetectable by a Dynamic Detector if and only if there exist $s \in \mathbb{C}$, $g \in \mathbb{C}^{|K|}$, and $x \in \mathbb{C}^{2n}$, $x \neq 0$, such that $(sI - A)x - B_Kg = 0$ and $Cx + D_Kg = 0$.

Before proving Theorem 3.4, some comments are in order. First, state attacks can be detected in the dynamic case. Second, an attacker needs to inject a signal which is consistent with the network dynamics at every instant of time to mislead a Dynamic Detector. Hence, as opposed to the static case, the condition $L\ell(t) \in \mathrm{Im}(C)$ needs to be satisfied for every $t \in \mathbb{R}_{\ge 0}$, and it is only necessary for the undetectability of an output attack. Indeed, for instance, state attacks can be detected even though they automatically satisfy the condition $0 = L\ell(t) \in \mathrm{Im}(C)$. Third and finally, according to the last statement of Theorem 3.4, the existence of invariant zeros for the Kron-reduced system $(A, B_K, C, D_K)$ is equivalent to the existence of an undetectable attack mode $u_K(t)$.⁴ As a consequence, for the absence of undetectable cyber-physical attacks, a dynamic detector performs better than a static detector, while requiring, possibly, fewer measurements. A related example is in Section V.

Proof of Theorem 3.4: By Definition 1 and linearity of the system (5), the attack mode $u_K(t)$ is undetectable by a Dynamic Detector if and only if there exists $[\delta(0)^\top\ \omega(0)^\top]^\top$ such that $y([\delta(0)^\top\ \omega(0)^\top]^\top, u_K, t) = 0$ for all $t \in \mathbb{R}_{\ge 0}$. Hence, statements (i) and (ii) are equivalent. Following condition (ii) in Theorem 3.4, an attack $u_K(t)$ may remain undetected by a Dynamic Detector if and only if $u_K(t)$ is an input-zero for some initial condition. ∎

We now focus on the identification problem.

Theorem 3.5: (Dynamic identifiability of cyber-physical attacks) For the power network descriptor system (3), the following two statements are equivalent:

(i) the attack set $K$ is unidentifiable by a Dynamic Detector;

(ii) there exists an attack set $R$, with $|R| \le |K|$ and $R \neq K$ if $|R| = |K|$, and attack modes $u_K(t)$, $u_R(t)$, such that, for some $\delta(0)$ and $\omega(0)$, at every $t \in \mathbb{R}_{\ge 0}$ it holds

$$Ce^{At}\begin{bmatrix}\delta(0)\\ \omega(0)\end{bmatrix} + \int_0^t Ce^{A(t-\tau)}B\big(u_K(\tau) + u_R(\tau)\big)\,d\tau = -D\big(u_K(t) + u_R(t)\big),$$

where $A$, $B$, $C$, and $D$ are as in (5).

Moreover, there exists an attack set $K$ unidentifiable by a Dynamic Detector if and only if there exists an attack set $\bar{K}$, $|\bar{K}| \le 2|K|$, which is undetectable by a Dynamic Detector.

Proof: Notice that, because of the linearity of the system (5), the unidentifiability condition in Definition 2 is equivalent to the condition $y(x_K - x_R, u_K - u_R, t) = 0$, for some initial conditions $x_K$, $x_R$, and attack modes $u_K(t)$, $u_R(t)$. The equivalence between statements (i) and (ii) follows. ∎

⁴ For the system $(A, B_K, C, D_K)$, the value $s \in \mathbb{C}$ is an invariant zero if there exist $x \in \mathbb{C}^{2n}$, with $x \neq 0$, and $g \in \mathbb{C}^{|K|}$ such that $(sI - A)x - B_Kg = 0$ and $Cx + D_Kg = 0$. For a linear dynamical system, the existence of invariant zeros is equivalent to the existence of zero dynamics [20].



In other words, the existence of an unidentifiable attack set of cardinality $k$ is equivalent to the existence of invariant zeros for the system $(A, B_{\bar{K}}, C, D_{\bar{K}})$, for some attack set $\bar{K}$ with $|\bar{K}| \le 2k$. A careful reader may notice that condition (ii) in Theorem 3.5 is hard to verify because of its combinatorial complexity: one needs to certify the absence of invariant zeros for all possible distinct pairs of $|K|$-dimensional attack sets. Then, a conservative verification of condition (ii) requires $\binom{2n+m+p}{2|K|}$ tests. In [6] we partially address this complexity problem by presenting an intuitive and easy to check graph-theoretic condition for a given network topology and generic system parameters.

Remark 1: (Stealth, false-data injection, and replay attacks) The following prototypical attacks can be modeled and analyzed through our theoretical framework:

(i) stealth attacks, as defined in [21], correspond to output attacks satisfying $D_Ku_K(t) \in \mathrm{Im}(C)$;

(ii) (dynamic) false-data injection attacks, as defined in [22], are output attacks rendering the unstable modes (if any) of the system unobservable. These unobservable modes are included in the invariant zeros set; and

(iii) replay attacks, as defined in [23], are state and output attacks satisfying $\mathrm{Im}(C) \subseteq \mathrm{Im}(D_K)$, $B_K \neq 0$. The resulting system may have an infinite number of invariant zeros: if the attacker knows the system model, then it can cast very powerful undetectable attacks.

In [23], a monitoring signal (unknown to the attacker) is injected into the system to detect replay attacks. It can be shown that, if the attacker knows the system model, and if the attack signal enters additively as in (3), then the attacker can design undetectable attacks without knowing the monitoring signal. Therefore, the fundamental limitations presented in Section III are also valid for active detectors, which are allowed to inject monitoring signals to reveal attacks. □

IV. Design of dynamic detection and identification procedures

A. Detection of attacks

We start by considering the attack detection problem, whose solvability condition is in Theorem 3.4. We propose the following residual filter to detect cyber-physical attacks.

Theorem 4.1 (Attack detection filter): Consider the power network descriptor system (3) and the associated Kron-reduced system (5). Assume that the attack set is detectable and that the network initial state $x(0)$ is known. Consider the detection filter

$$\dot{w}(t) = (A + GC)\,w(t) - Gy(t), \qquad r(t) = Cw(t) - y(t), \qquad (7)$$

where $w(0) = x(0)$, and $G \in \mathbb{R}^{2n \times p}$ is such that $A + GC$ is a Hurwitz matrix. Then $r(t) = 0$ at all times $t \in \mathbb{R}_{\ge 0}$ if and only if $u(t) = 0$ at all times $t \in \mathbb{R}_{\ge 0}$.

Proof: Consider the error $e(t) = w(t) - x(t)$ between the states of the filter (7) and the Kron-reduced system (5). The error dynamics with output $r(t)$ are then

$$
\begin{aligned}
\dot e(t) &= (A + GC)\, e(t) - (B + GD)\, u(t), \\
r(t) &= C\, e(t) - D\, u(t),
\end{aligned}
\qquad (8)
$$

where $e(0) = 0$. Clearly, if the error system (8) has no invariant zeros, then $r(t) = 0$ for all $t \in \mathbb{R}_{\ge 0}$ if and only if $u(t) = 0$ for all $t \in \mathbb{R}_{\ge 0}$, and the claimed statement is true. The error system (8) has no invariant zeros if and only if there exists no triple $(s, w, g) \in \mathbb{C} \times \mathbb{R}^{2n} \times \mathbb{R}^{2n+m+p}$ satisfying the invariant zero equations (9) of the error system (8). The second equation of (9) yields $C w = D g$. Thus, by substituting $C w$ by $D g$ in the first equation of (9), the set of equations (9) can be equivalently written as

$$
\begin{bmatrix} sI - A & B \\ C & -D \end{bmatrix}
\begin{bmatrix} w \\ g \end{bmatrix} = 0 .
$$

Finally, note that the solution $(s, -w, g)$ to the above set of equations yields an invariant zero, zero state, and zero input for the Kron-reduced system (5). By the detectability assumption, the Kron-reduced system (5) has no zero dynamics. We conclude that the error system (8) has no zero dynamics, and the statement is true. ■

In summary, the implementation of the residual filter (7) guarantees the detection of any detectable attack set.

B. Identification of attacks 

We now focus on the attack identification problem, whose solvability condition is in Theorem 3.3. Unlike the detection case, the identification of the attack set K requires a combinatorial procedure, since, a priori, K is one of the $\binom{2n+m+p}{|K|}$ possible attack sets. As key component of our identification procedure, we propose a residual filter to determine whether a predefined set coincides with the attack set.

We next introduce in a coordinate-free geometric way the key elements of this residual filter based on the notion of conditioned-invariant subspaces [20]. Let K be a k-dimensional attack set, and let $B_K$, $D_K$ be as defined right after the Kron-reduced model (5). Let $[V_K^T \; Q_K^T]^T \in \mathbb{R}^{p \times p}$ be an orthonormal matrix such that

$$
V_K = \mathrm{Basis}(\mathrm{Im}(D_K)), \quad\text{and}\quad Q_K = \mathrm{Basis}(\mathrm{Im}(D_K)^{\perp}),
$$

and let

$$
B_Z = B_K (V_K D_K)^{\dagger}, \quad\text{and}\quad \bar B_K = B_K (I - D_K^{\dagger} D_K). \qquad (10)
$$

Define the subspace $S^* \subseteq \mathbb{R}^{2n}$ to be the smallest $\big(A - B_K (V_K D_K)^{\dagger} V_K C,\; \mathrm{Ker}(Q_K C)\big)$-conditioned invariant subspace containing $\mathrm{Im}(\bar B_K)$, and let $J_K$ be an output injection matrix such that

$$
\big(A - B_K (V_K D_K)^{\dagger} V_K C + J_K Q_K C\big) S^* \subseteq S^*. \qquad (11)
$$

Let $P_K$ be an orthonormal projection matrix onto the quotient space $\mathbb{R}^{2n} \setminus S^*$, and let

$$
A_K = P_K \big(A - B_K (V_K D_K)^{\dagger} V_K C + J_K Q_K C\big) P_K^T. \qquad (12)
$$

Finally, let $H_K$ and the unique $M_K$ be such that

$$
\mathrm{Ker}(H_K Q_K C) = S^* + \mathrm{Ker}(Q_K C), \quad\text{and}\quad H_K Q_K C = M_K P_K. \qquad (13)
$$

Theorem 4.2 (Attack identification filter): Consider the power network descriptor system (3) and the associated Kron-reduced system (5). Assume that the attack set K is identifiable and that the network initial state is known. Consider the identification filter

$$
\begin{aligned}
\dot w_K(t) &= (A_K + G_K M_K)\, w_K(t) + \big(P_K B_Z V_K - (P_K J_K + G_K H_K)\, Q_K\big)\, y(t), \\
r_K(t) &= M_K\, w_K(t) - H_K Q_K\, y(t),
\end{aligned}
\qquad (14)
$$

where $w_K(0) = P_K x(0)$, and $G_K \in \mathbb{R}^{2n \times p}$ is such that $A_K + G_K M_K$ is a Hurwitz matrix. Then $r_K(t) = 0$ at all times $t \in \mathbb{R}_{\ge 0}$ if and only if K equals the attack set.

Note that the residual $r_K(t)$ is identically zero if the attack set coincides with K, even if the attack input is nonzero.



Proof of Theorem 4.2: Let R be an attack set with $|R| \le |K|$ and $R \neq K$. With the output transformation $[z_1, z_2] = [V_K y, Q_K y]$, the Kron-reduced system (5) becomes

$$
\begin{aligned}
\dot x(t) &= A\, x(t) + \begin{bmatrix} B_K & B_R \end{bmatrix} \begin{bmatrix} u_K(t) \\ u_R(t) \end{bmatrix}, \\
z_1(t) &= V_K C\, x(t) + V_K D_K\, u_K(t) + V_K D_R\, u_R(t), \\
z_2(t) &= Q_K C\, x(t) + Q_K D_R\, u_R(t).
\end{aligned}
\qquad (15)
$$

Note that the attack set K affects only the output $z_1(t)$. The output equation for $z_1(t)$ can be solved for $u_K(t)$ as

$$
u_K(t) = (V_K D_K)^{\dagger}\big(z_1(t) - V_K C\, x(t)\big) - (V_K D_K)^{\dagger} V_K D_R\, u_R(t) + u_{\mathrm{hom}}(t),
$$

where $u_{\mathrm{hom}}(t) \in \mathrm{Ker}(V_K D_K) = \mathrm{Ker}(D_K)$ and $u_R(t)$ are unknown signals, while $z_1(t)$ is known. The Kron-reduced system (15) can equivalently be written with unknown inputs $u_{\mathrm{hom}}(t)$ and $u_R(t)$, known input $z_1(t)$, and output $z_2(t)$ as

$$
\begin{aligned}
\dot x(t) &= \big(A - B_K (V_K D_K)^{\dagger} V_K C\big)\, x(t) + \begin{bmatrix} B_Z & \bar B_K & \bar B_R \end{bmatrix} \begin{bmatrix} z_1(t) \\ u_{\mathrm{hom}}(t) \\ u_R(t) \end{bmatrix}, \\
z_2(t) &= Q_K C\, x(t) + Q_K D_R\, u_R(t),
\end{aligned}
\qquad (16)
$$

where $B_Z$ and $\bar B_K$ are as in (10), and

$$
\bar B_R = B_R - B_K (V_K D_K)^{\dagger} V_K D_R .
$$

Let $S^*$ and $J_K$ be as in (11), and consider the orthonormal change of coordinates given by $T_K = [W_K \; P_K^T]^T \in \mathbb{R}^{2n \times 2n}$, where $W_K$ is a basis of $S^*$, $P_K$ is a projection matrix onto the quotient space $\mathbb{R}^{2n} \setminus S^*$, and $T_K^{-1} = T_K^T$. In the new coordinates $[\xi_1, \xi_2] = [W_K^T x, P_K x]$, system (16) reads as
(17)

The zero pattern in the system and input matrix of (17) arises due to the invariance properties of $S^*$, which contains $\mathrm{Im}(\bar B_K)$. For the system (17) we propose the filter

$$
\begin{aligned}
\dot w_K(t) &= (A_{22} + G_K M_K)\, w_K(t) + B_{21}\, z_1(t) - G_K H_K\, z_2(t), \\
r_K(t) &= M_K\, w_K(t) - H_K\, z_2(t),
\end{aligned}
\qquad (18)
$$

where $G_K$ is chosen such that $A_{22} + G_K M_K$ is a Hurwitz matrix. Let $H_K$ and $M_K$ be as in (13), which, in these coordinates, coincides with $H_K C_1 = 0$ and $H_K C_2 = M_K$. Define the filter error $e(t) = w_K(t) - \xi_2(t)$; then the residual filter (18) written in error coordinates is

$$
\begin{aligned}
\dot e(t) &= (A_{22} + G_K M_K)\, w_K(t) - A_{22}\, \xi_2(t) - B_{23}\, u_R(t) - G_K H_K \big( \begin{bmatrix} C_1 & C_2 \end{bmatrix} \xi(t) + D\, u_R(t) \big) \\
&= (A_{22} + G_K M_K)\, e(t) - (B_{23} + G_K H_K D)\, u_R(t), \\
r_K(t) &= M_K\, e(t) - H_K D\, u_R(t),
\end{aligned}
$$

where $D = Q_K D_R$ denotes the feedthrough of $z_2$ in (16). It can be shown that $\big(A_{22} + G_K M_K,\; -(B_{23} + G_K H_K D),\; M_K,\; -H_K D\big)$ has no zero dynamics, so that the residual $r_K(t)$ is not affected by K, and every nonzero signal $u_R(t)$ is detectable from $r_K(t)$. Consequently, $r_K(t)$ is identically zero if and only if K is the attack set. Finally, in original coordinates, the filter (18) takes the form (14). ■

For an attack set K, we refer to the signal $r_K(t)$ in the filter (14) as the residual associated with K. A corollary result of Theorem 4.2 is that, if only an upper bound on the cardinality of the attack set is known, then the residual $r_K(t)$ is identically zero if and only if the attack set is contained in K. We now summarize our identification procedure, which assumes the knowledge of the network initial condition and of an upper bound k on the cardinality of the attack set K:

(i) design an identification filter for each possible subset of $\{1, \ldots, 2n + m + p\}$ of cardinality k;

(ii) monitor the power network by running each identification filter;

(iii) the attack set K coincides with the intersection of the attack sets Z whose residual $r_Z(t)$ is identically zero.

Remark 2: (Detection and identification filters for unknown initial condition) If the network initial state is not available, then an arbitrary initial state $w(0) \in \mathbb{R}^{2n}$ can be chosen. Consequently, the filter performance becomes asymptotic, and some attacks may remain undetected or unidentified. For instance, if the eigenvalues of the detection filter matrix have been assigned to have real part smaller than $c < 0$, with $c \in \mathbb{R}$, then, in the absence of attacks, the residual $r(t)$ exponentially converges to zero with rate less than c. Hence, only inputs $u(t)$ that vanish faster than or as fast as $e^{ct}$ can remain undetected by the filter (7). Alternatively, the detection filter can be modified so as to converge in a predefined finite time [27]. In this case, every attack signal is detectable after a finite transient. □

Remark 3: (Detection and identification in the presence of process and measurement noise) The detection and identification filters presented here are a generalization to dynamical systems with direct input-to-output feedthrough of the devices presented in [24]. Additionally, our design guarantees the absence of invariant zeros in the residual system, so that every attack signal affects the corresponding residual. Finally, if the network dynamics are affected by noise, then an optimal noise rejection in the residual system can be obtained by choosing the matrix G in (7) and $G_K$ in (14) as the Kalman gain according to the noise statistics. □

V. A NUMERICAL STUDY

The effectiveness of our theoretic developments is here demonstrated for the IEEE 14 bus system reported in Fig. 1. Let the IEEE 14 bus power network be modeled as a descriptor model of the form (3), where the network matrix A is as in [28]. Following [7], the measurement matrix C consists of the real power injections at all buses, of the real power flows of all branches, and of one rotor angle (or one bus angle). We assume that an attacker can independently compromise every measurement, except for the one referring to the rotor angle, and that it does not inject state attacks.

Let $k \in \mathbb{N}$ be the cardinality of the attack set. From [7] it is known that, for a Static Detector, an undetectable attack exists if $k \ge 4$. In other words, due to the sparsity pattern of C, there exists a signal $u_K(t)$, with (the same) four nonzero entries at all times, such that $D u_K(t) \in \mathrm{Im}(C)$ at all times. By Theorem 3.2 the attack set K remains undetected by a Static Detector through the attack mode $u_K(t)$. On the other hand, following Theorem 3.4 it can be verified that, for the same output matrix C, and independent of the value of k, there exists no undetectable (output) attack set.
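The following added example (not code from the paper) simulates the detection filter (7) of Theorem 4.1 next to a Static Detector that only checks whether $y(t)$ lies in $\mathrm{Im}(C)$, reproducing the contrast drawn in this section on a constructed 2-state plant with $B = 0$ (output attacks only). The plant matrices, the gain $G = -C^T$, and the attack vector are assumptions made for illustration; the attack is chosen so that $D u(t) \in \mathrm{Im}(C)$, hence the static residual stays at zero while the dynamic residual does not.

```python
# Added example, not from the paper: detection filter (7) of Theorem 4.1 beside a
# static detector, on a constructed plant x' = Ax, y = Cx + Du (output attacks only).
# Pure Python, forward Euler; no external dependencies.

def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]

def norm(v):
    return sum(x * x for x in v) ** 0.5

A = [[0.0, 1.0], [-2.0, -3.0]]                          # stable plant, eigenvalues -1, -2
C = [[1.0, 0.0], [0.0, 1.0], [1.0, 1.0]]                 # three sensors on two states
D = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]  # output attack adds directly to y
G = [[-1.0, 0.0, -1.0], [0.0, -1.0, -1.0]]               # G = -C^T: A + GC = [[-2,0],[-3,-5]] is Hurwitz
LEFT_NULL_C = [1.0, 1.0, -1.0]                           # spans Im(C)^perp

def static_residual(y):
    """Static detector: distance of y from Im(C); zero whenever Du lies in Im(C)."""
    return abs(sum(a * b for a, b in zip(LEFT_NULL_C, y)))

def simulate(attack, t_end=3.0, dt=1e-3, t_on=1.0):
    """Hold the (constructed) attack vector from t_on on; return the peak static
    residual and the final dynamic residual norm |r(t_end)| of filter (7)."""
    x = [1.0, 0.0]                  # known initial state x(0)
    w = list(x)                     # w(0) = x(0), as Theorem 4.1 requires
    static_peak, r_final = 0.0, 0.0
    for k in range(int(t_end / dt)):
        u = attack if k * dt >= t_on else [0.0, 0.0, 0.0]
        y = [a + b for a, b in zip(matvec(C, x), matvec(D, u))]   # y = Cx + Du
        r = [a - b for a, b in zip(matvec(C, w), y)]               # r = Cw - y
        static_peak = max(static_peak, static_residual(y))
        r_final = norm(r)
        # filter (7): w' = (A + GC)w - Gy, evaluated as A w + G (Cw - y)
        dw = [a + b for a, b in zip(matvec(A, w), matvec(G, r))]
        dx = matvec(A, x)                                          # plant: x' = Ax
        w = [wi + dt * d for wi, d in zip(w, dw)]
        x = [xi + dt * d for xi, d in zip(x, dx)]
    return static_peak, r_final

NO_ATTACK = [0.0, 0.0, 0.0]
STEALTH = [1.0, 0.0, 1.0]   # Du = (1, 0, 1) = C (1, 0)^T lies in Im(C): invisible to the static check

if __name__ == "__main__":
    for name, att in (("no attack", NO_ATTACK), ("stealthy output attack", STEALTH)):
        s, r = simulate(att)
        print(f"{name}: static peak = {s:.3e}, dynamic |r(T)| = {r:.3f}")
```

The attacked run ends with a dynamic residual close to the steady-state value $\|C e_{ss} - Du\| \approx 0.55$, while the static residual never leaves zero; detectability of this attack set also follows from Theorem 3.4, since neither eigenvector of A has a zero second component and so $(A, 0, C, D_K)$ has no invariant zeros.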

VI. Conclusion 

For a power network modeled via a linear time-invariant 
descriptor system, we have analyzed the fundamental limita- 
tions of static and dynamic attack detection and identification 
procedures. We have rigorously shown that a dynamic detec- 
tion and identification method exploits the network dynamics 
and outperforms the static counterpart, while requiring, pos- 
sibly, fewer measurements. Additionally, we have described a 
provably correct attack detection and identification procedure 
based on dynamic residual filters, and we have illustrated its 
effectiveness through an example of cyber-physical attacks 
against the IEEE 14 bus system. 